TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Office of Safeguards Should Improve Management Oversight and Internal Controls to Ensure the Effective Protection of Federal Tax Information

September 15, 2014

Reference Number: 2014-20-059

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta

HIGHLIGHTS

THE OFFICE OF SAFEGUARDS SHOULD IMPROVE MANAGEMENT OVERSIGHT AND INTERNAL CONTROLS TO ENSURE THE EFFECTIVE PROTECTION OF FEDERAL TAX INFORMATION

Highlights

Final Report issued on September 15, 2014

Highlights of Reference Number: 2014-20-059 to the Internal Revenue Service Deputy Commissioner for Operations Support.

IMPACT ON TAXPAYERS

Internal Revenue Code Section 6103 authorizes the IRS to disclose Federal Tax Information (FTI) to various Federal agencies, State and local entities, and U.S. territories. It also requires recipients of FTI to establish effective safeguards for ensuring that taxpayer information is protected from unauthorized use and disclosure. If required safeguards for FTI are not established and maintained, the FTI is at an increased risk of unauthorized use and disclosure.

WHY TIGTA DID THE AUDIT

This audit was initiated to determine if the Office of Safeguards provides adequate oversight of the agencies that receive FTI. Federal regulations govern the confidentiality of FTI provided to agencies, and agencies must follow those requirements to receive it.

WHAT TIGTA FOUND

While the Office of Safeguards conducts on-site agency reviews to ensure that adequate safeguards are maintained, the reviews are conducted after FTI is released to agencies. This occurs in part because the IRS's Internal Revenue Manual does not require the performance of on-site validation of an agency's ability to protect FTI prior to its release to the agency.

In addition, the Office of Safeguards 1) does not set specific background investigation requirements for employees and contractors at agencies receiving FTI and 2) does not conduct on-site review tests on each agency's background investigation policies and procedures.

Effective controls have not been established to ensure that the IRS's annual report on the safeguards of agencies that receive FTI is timely submitted to the required U.S. congressional committees. In addition, policies and procedures do not require that information technology security test plans be designed with subtests weighted according to risk.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Deputy Commissioner for Operations Support ensure that on-site agency reviews are conducted prior to the release of FTI for any new systems or agencies receiving FTI for the first time unless an independent security assessment or IRS risk-based assessment is performed that includes the IRS requirements for the security of FTI and the assessment is reviewed and approved/prepared by the Office of Safeguards; establish and ensure that background investigation requirements for all agency employees and contractors with access to FTI are consistent with the IRS's background investigation requirements; ensure that background investigation validation tests are conducted during on-site agency reviews; improve congressional reporting timeliness; and improve on-site information technology security testing processes.

In their response to the report, IRS management partially agreed with the first recommendation and agreed with the other seven. The IRS plans to conduct an initial risk-based assessment before authorizing the release of FTI to an agency for the first time and develop a comprehensive policy to detail requirements; develop specific background investigation requirements for external agency employees and the agency's contractors authorized to access FTI; conduct background investigation validation tests; and timely submit reports to Congress. The IRS also deployed a new management information system to provide enhanced tracking capabilities for the list of active agencies, reports, and related documents.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 15, 2014

MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT

FROM: Michael E. McKenney, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Office of Safeguards Should Improve Management Oversight and Internal Controls to Ensure the Effective Protection of Federal Tax Information (Audit # 201320029)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) Office of Safeguards effectively provides oversight of agencies that receive Federal Tax Information.
This review is included in the Treasury Inspector General for Tax Administration Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Danny Verneuille, Acting Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background

Results of Review
    The Office of Safeguards Does Not Conduct On-Site Reviews of Agencies Prior to Release of Federal Tax Information
        Recommendation 1
    The Office of Safeguards Does Not Require and Ensure That Agencies Conduct Proper Background Investigations
        Recommendations 2 and 3
    The Office of Safeguards Needs to Strengthen Its Congressional Reporting and On-Site Information Technology Security Testing Processes
        Recommendation 4
        Recommendation 5
    The Office of Safeguards' Program Controls Need Improvement
        Recommendations 6 through 8

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Glossary of Terms
    Appendix V – Management's Response to the Draft Report

Abbreviations

ACA     Affordable Care Act
CAP     Corrective Action Plan
FTI     Federal Tax Information
GLDS    Governmental Liaison, Disclosure, and Safeguards
I.R.C.  Internal Revenue Code
IRM     Internal Revenue Manual
IRS     Internal Revenue Service
SAR     Safeguards Activity Report
SPR     Safeguard Procedures Report
SRR     Safeguard Review Report

Background

The Internal Revenue Service (IRS) provides Federal Tax Information (FTI)[1] to approximately 280 Federal agencies, State and local entities, and U.S. territories (hereafter referred to as agencies). It is authorized under Internal Revenue Code (I.R.C.) Section (§) 6103 to disclose FTI to agencies. The agencies use FTI for various reasons such as to locate delinquent taxpayers, assist in determining whether a taxpayer can pay on a defaulted debt, and determine whether discrepancies exist in the reporting of income.

[1] See Appendix IV for a glossary of terms.

I.R.C. § 6103(p)(4), Internal Revenue Manual Section (IRM) 11.3.36,[2] and IRS Publication 1075, Tax Information Security Guidelines For Federal, State, and Local Agencies,[3] require recipients of FTI to establish procedures to ensure the adequate protection of FTI received. I.R.C. § 6103(p)(4) and (7) authorize the IRS to remove FTI from an agency if the FTI is misused or if inadequate safeguards are in place to protect it from unauthorized use and disclosure. The Office of Safeguards (hereafter referred to as the Office) is in the Governmental Liaison, Disclosure, and Safeguards (GLDS) function of the Privacy, Governmental Liaison, and Disclosure business unit within the IRS Operations Support organization and has oversight responsibility of agencies that receive FTI subject to I.R.C. § 6103(p)(4) to ensure that adequate safeguards are maintained. The IRS is responsible for producing and revising Publication 1075, which provides guidance to agencies regarding the required safeguard procedures necessary to protect FTI.

[2] Dated Aug. 2008.
[3] Dated Aug. 2010.

Before agencies can receive FTI, they must submit a formal report called a Safeguard Procedures Report (SPR) that describes how the agency will protect and safeguard FTI in accordance with I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075. Agencies are then required to submit an SPR every six years or when significant changes in their safeguard procedures occur. In addition to the SPRs, agencies must submit annually a Safeguards Activity Report (SAR) to describe any changes to their safeguard procedures, advise of future actions that will affect such procedures, and certify they are protecting FTI in accordance with I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075. The SPRs must be reviewed by the Office within 60 calendar days of receipt, and the SARs must be reviewed within 45 calendar days of receipt.

Agency reviews

On-site reviews of agencies receiving FTI are required to be conducted by the Office a minimum of once every three years. The reviews are designed to ensure compliance with I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075 regarding recordkeeping, secure storage, restricting access, other safeguards related to employee awareness and internal inspections, reporting requirements, and disposal.
The on-site agency reviews are generally conducted over a three-day period.

The Office's review teams are made up of disclosure enforcement specialists and information technology specialists. Disclosure enforcement specialists lead the reviews and are responsible for reviewing the agencies' physical security, privacy, and disclosure policies and procedures. Most of the information technology specialists are contract employees and perform information technology security reviews under the direction of the review team's lead disclosure enforcement specialists. The review teams use test plans to assist in validating the adequacy of the agencies' safeguard controls; the test plans are generally designed in accordance with I.R.C. § 6103(p)(4) and the controls in the National Institute of Standards and Technology's Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3.[4]

[4] Dated Aug. 2009.

Once an on-site review has been completed, the review team provides the agency an interim report and a draft findings document called an interim Corrective Action Plan (CAP) report that lists any deficiencies found during the review. The agency is then required to respond through written statements and/or supporting documentation of the corrective actions that have been or will be taken to address the identified deficiencies. The interim report and interim CAP report are required to be issued within 45 calendar days of the on-site review closing conference that is held on the last day of the on-site review. The agency has 45 calendar days to respond to the interim report, after which the review team has 45 calendar days to issue a final report and a final CAP report. Figure 1 illustrates the 45-calendar-day requirements.

Figure 1: Timeline of Requirements for the Office's Report Issuance and for Agencies' Response to Reports

    The Office of Safeguards' review team conducts a closing conference with the agency on the last day of the on-site review.
    -> 45 calendar days ->
    The review team issues the interim report and CAP report.
    -> 45 calendar days ->
    The agency responds to the interim report by detailing its planned actions to address the findings.
    -> 45 calendar days ->
    The review team issues the final report and final CAP report.

Source: The Office's preliminary report documents provided to agencies and discussed with management.

In addition, responsibilities of the Safeguard Program were recently expanded. The Patient Protection and Affordable Care Act of 2010[5] and the Health Care and Education Reconciliation Act of 2010[6] (hereafter collectively referred to as the Affordable Care Act (ACA)) were both signed into law in March 2010. The ACA seeks to provide more Americans with access to affordable health care by creating a new Health Insurance Exchange, enforcing patient/consumer protections, and providing Government subsidies for people who cannot afford insurance. The exchange provisions of the ACA are centered on implementing tax provisions associated with Federal and State health insurance exchanges. Under these provisions, the IRS is required to support eligibility and enrollment in health insurance exchanges by providing income and family size information that is classified as FTI. The IRS must provide this FTI disclosure to the U.S. Department of Health and Human Services, which will disclose FTI to the health care exchanges for use in the determination of health care qualifications and subsidies. The Office is responsible for oversight of this disclosure and ensuring that the exchanges have required safeguards in place. We are currently conducting an information technology security audit focused specifically on the processes used by the IRS to review and approve ACA-related requests for FTI based on the SPRs submitted by ACA agencies.

[5] Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.
[6] Pub. L. No. 111-152, 124 Stat. 1029. (See Affordable Care Act, infra).

This review was performed at the Office of Safeguards in Dallas, Texas, the Texas Office of Attorney General Child Support in Austin, Texas, and the Montana Department of Revenue offices in Helena, Montana, during the period May 2013 through May 2014. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

The Office of Safeguards Does Not Conduct On-Site Reviews of Agencies Prior to Release of Federal Tax Information

I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075 require that agencies that request or receive FTI provide the IRS a report that describes the safeguards established and used by the agency for ensuring that FTI is protected. Therefore, the agencies and their contractors must file an SPR with the IRS and obtain approval prior to the receipt of FTI. The SPR must describe how the agency and its contractors will protect and safeguard FTI in accordance with I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075. The SPR must contain written descriptions and supporting documentation that provide sufficient evidence that FTI is protected at all points where it is received, processed, stored, and/or maintained.

After the SPR has been submitted, the Office reviews the document to determine if there is sufficient documented evidence that the safeguards established adequately secure FTI.
If the SPR is approved by the Office, the IRS releases the requested FTI without on-site verification that the controls, processes, and procedures are actually established. The Office does not perform independent validation of the information provided on the SPR until an on-site agency review is conducted by the Office review team. On-site agency reviews are scheduled by the Office a minimum of one to three years after an agency has begun receiving FTI.

In addition, we conducted preliminary work in August 2013 on the GLDS business unit's efforts to approve agencies that requested FTI due to the ACA. The GLDS business unit created a separate ACA review team to handle the ACA-related SPR review and approval process. The ACA review team was not a part of the Office and reported to the Director, Privacy, Governmental Liaison, and Disclosure. These ACA-related SPRs were tracked, controlled, and approved by this separate review team. The ACA review team stated that it conducted on-site agency reviews that entailed some validation prior to SPR approval. However, the on-site reviews were conducted before the agency systems and procedures were fully developed and implemented. Once the SPR was approved, the FTI was released and the Office was instructed to add these approved ACA-related agencies to its on-site review schedule. At the time of our review, agencies in 27 States had requested or planned to request FTI in support of fulfilling their responsibilities related to the ACA legislation. This separate review team was operating independent of the Office's normal SPR review process for receiving FTI and developed its own procedures for reviewing ACA-related SPR submissions and approvals.

While the IRM requires the Office to conduct on-site agency reviews once every three years, it does not require the Office to perform on-site validation of an agency's ability to protect FTI prior to its release to the agency. IRM 11.3.36 states that on-site reviews may be conducted within 12 months of an agency initially receiving FTI.

The Office's management stated that the SPRs submitted by the agencies provide sufficient evidence for the Office to determine whether an agency can protect FTI at all points where it is received, processed, stored, and/or maintained. Management does not believe it is practical to conduct on-site reviews of agencies prior to their receipt of FTI because, in their view, the evaluation would not determine how agencies actually are performing the safeguards established. Additionally, management believes that review teams may only discover all agency locations of FTI during the on-site reviews after receipt of FTI, as agencies do not always accurately document processes on the submitted SPRs. Management also believes that if the Office conducts on-site reviews before FTI is received by an agency, the safeguards established for all FTI maintained could not be evaluated.

Agencies that request FTI must demonstrate the ability to safeguard FTI prior to its receipt. When the Office's primary assessment of an agency's safeguarding processes, i.e., the on-site review, is performed one to three years after receipt of FTI, there is a significant risk that the FTI provided may be subjected to unauthorized disclosure and use. Until a complete on-site review is conducted, FTI is vulnerable to unauthorized use and disclosure, and taxpayers cannot be assured that their FTI is properly safeguarded.

Management actions

After the completion of our fieldwork and in discussions with the Office's executive management, the IRS stated that the Office is not following the IRM and that the IRM is outdated. The IRS stated that the requirement for an on-site review to be conducted a minimum of one to three years after an agency has begun receiving FTI is no longer the requirement. The Office now uses a risk-based approach to conduct on-site reviews, which determines how often an on-site review is conducted. In addition, IRS management prefers that an agency receive FTI for a minimum of 30 calendar days prior to any on-site review.

Recommendation

The Deputy Commissioner for Operations Support should:

Recommendation 1: Establish policies and procedures to require that on-site agency reviews are conducted prior to the initial release of FTI for any new systems or agencies receiving FTI for the first time, unless an independent security assessment or IRS risk-based assessment is performed that includes the IRS requirements for the security of FTI, the assessment is reviewed and approved/prepared by the Office of Safeguards, and any significant security deficiencies identified are resolved.

    Management's Response: The IRS partially agreed with the recommendation. The IRS will conduct an initial risk-based assessment before authorizing the release of FTI to an agency for the first time. The Office will develop a comprehensive policy to detail agency requirements to include an independent security assessment, IRS risk-based assessment, or a modified on-site review prior to initial release of FTI. The policy will detail risk-based criteria for release of data as well as actions taken to mitigate certain vulnerabilities before approval of the data exchange.
The requirement will be published\n       in the next revision of Publication 1075.\n\nThe Office of Safeguards Does Not Require and Ensure That Agencies\nConduct Proper Background Investigations\nFederal agencies are required to conduct a Minimal Background Investigation on all potential\nemployees designated as moderate risk, including individuals hired to access or use FTI. The\nbackground investigation required for Federal employees with access to FTI includes\n1) fingerprints as part of the preemployment background check; 2) a National Agency Check\nplus credit search and checks at local law enforcement agencies where the subject has lived,\nworked, and/or attended school within the last five years and, if applicable, of the appropriate\nagency for any identified arrests; 3) a personal subject interview; 4) written inquiries to\nemployers, schools, and references for the past five years; and 5) a periodic reinvestigation once\nevery 10 years.\nThe IRS\xe2\x80\x99s Human Resource Division requires the Federal Minimal Background Investigation for\nall positions within the IRS designated as moderate risk, including positions with access to FTI.\nOnce completed and approved, the Minimal Background Investigation would provide an IRS\nemployee with a National Security Non-Critical Sensitive clearance and authorization to access\nFTI if access is required to perform the employee\xe2\x80\x99s official duties.\nThe IRS does not set specific background investigation requirements for employees and\ncontractors at agencies receiving FTI or for agency employees and contractors with access to\nFTI. The IRS allows each agency that receives FTI to set its own background investigation\npolicies and requirements. 
Additionally, the Office does not conduct on-site review tests on each\nagency\xe2\x80\x99s background investigation policies and procedures or on agency employees to determine\nif background investigations have been performed by the agency receiving FTI.\nWe selected 15 agencies currently receiving FTI. We requested each agency\xe2\x80\x99s background\ninvestigation policies and compared them to the IRS\xe2\x80\x99s background investigation requirements.\nNone of the 15 agencies reviewed had background investigation policies that require the same\nlevel of background investigation that is required for IRS personnel and contractors with access\nto FTI. Based on our review of background policies and procedures for the 15 agencies\nreceiving FTI, we found:\n   \xef\x82\xb7   Four of the 15 agencies conduct fingerprint testing.\n   \xef\x82\xb7   Eleven of the 15 agencies conduct State-level background investigations.\n\n\n                                                                                            Page 6\n\x0c                           The Office of Safeguards Should Improve\n                     Management Oversight and Internal Controls to Ensure\n                      the Effective Protection of Federal Tax Information\n\n\n   \xef\x82\xb7   One of the 15 agencies conducts national-level background investigations.\n   \xef\x82\xb7   Seven of the 15 agencies may hire individuals convicted of crimes. 
The decision to hire\n       such individuals is based on the nature of the crime committed, the time elapsed, and the\n       duties of the position that would be filled.\n   \xef\x82\xb7   Two of the 15 agencies conduct additional background investigations on individuals\n       hired to access data.\n   \xef\x82\xb7   One of the 15 agencies checks sex offender registries.\n   \xef\x82\xb7   Six of the 15 agencies conduct tax compliance checks.\nIRS Publication 1075 does not provide explicit requirements for background investigations\nagencies conduct on employees and contractors authorized to access FTI. It only requires\nbackground investigations to be performed and suggests additional checks may be necessary\nwhen agency employees will have access to entire sets of FTI records, e.g., database\nadministrators. The publication also does not require agencies to adhere to the same background\ninvestigation requirements as IRS employees and contractors with access to FTI.\nDuring a discussion with the Office\xe2\x80\x99s executive management at the end of our fieldwork,\nmanagement stated that the IRS should set specific minimum standards that an agency must meet\nfor both employees and contractors with access to FTI. While executive management does not\nbelieve these standards should be an exact replication of the Minimal Background Investigation\nreferenced for IRS employees, the standards should be set at a high level in Publication 1075.\nThe Office\xe2\x80\x99s executive management believes these standards should contain requirements such\nas fingerprints, national and local criminal checks, and an agency-written policy specific to FTI.\nInconsistent agency polices and background investigations are being implemented/performed for\nagency employees and contractors with access to FTI. Agency employees and contractors with\naccess to FTI do not have to obtain the same type of background investigation as IRS employees\nand contractors with access to FTI. 
When agency background investigation policies and procedures are not consistent with the IRS’s background investigation policy, and the Office does not conduct tests related to background investigations, agencies may hire individuals with backgrounds unsuited for access to FTI. The lack of specific background investigation requirements by the Office for agency personnel and contractors with access to FTI creates a significant risk that the FTI provided to agencies may be subjected to unauthorized use and disclosure. In addition, the IRS cannot assure taxpayers that their FTI is properly safeguarded.

Recommendations
The Deputy Commissioner for Operations Support should:
Recommendation 2: Establish and ensure that background investigation requirements for all agency employees and contractors that have access to FTI are consistent with the IRS’s background investigation requirements for access to FTI.
       Management’s Response: The IRS agreed with this recommendation.
       The Office of Safeguards will evaluate the current IRS standards for background investigations and develop specific requirements for external agency employees and the agency’s contractors authorized to access FTI that are subject to I.R.C. § 6103(p)(4) oversight. These standards will be published in Publication 1075, and compliance will be evaluated as part of the on-site review process.
Recommendation 3: Include background investigation validation tests during the Office of Safeguards’ on-site reviews for all agencies receiving FTI.
       Management’s Response: The IRS agreed with this recommendation. Once the specific background investigation requirements for external agencies and contractors are established and published, the validation testing will become part of each on-site review. Specific tests will be developed and training delivered to staff to ensure that a random sampling of investigations is evaluated.

The Office of Safeguards Needs to Strengthen Its Congressional Reporting and On-Site Information Technology Security Testing Processes

Management oversight of the congressional reporting requirement needs improvement
I.R.C. § 6103(p)(5) and IRM 11.3.36 require the Office to report annually to Congress on the procedures and safeguards of agencies that receive FTI. IRM Section 11.3.36.13(2) indicates that the report will be submitted internally to the Director of the Office for approval on or before March 31 of each year. The report is then submitted through the appropriate management levels for the IRS Commissioner’s signature before it is issued to the U.S. Congress: the U.S. House of Representatives Committee on Ways and Means, the U.S.
Senate Committee on Finance, and the Joint Committee on Taxation.

The Office’s annual reports to Congress for Calendar Years 2010, 2011, and 2012 were not submitted to the Director of the Office timely, and the Calendar Year 2010 and 2011 reports were not issued to the required U.S. congressional committees timely. The Calendar Year 2010 annual report was submitted to the Office’s Director in May 2011, the Calendar Year 2011 annual report was submitted in May 2012, and the Calendar Year 2012 annual report was submitted in April 2013. During the fieldwork for this audit, the annual reports for Calendar Years 2010, 2011, and 2012 were all submitted to the required U.S. congressional committees in May 2013.

The Office’s management does not have effective management controls established to ensure that the annual report on the procedures and safeguards of agencies that receive FTI is submitted timely to the required U.S. congressional committees. When the appropriate congressional committees are not provided with timely reports on the procedures and safeguards of agencies that receive FTI, the committees cannot provide timely oversight of the IRS’s FTI-sharing activities and of agencies’ accountability for securing FTI.

Agency on-site reviews of information technology security requirements need improvement
I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075 require that access to FTI be restricted to only those persons whose duties or responsibilities require access.
It is the responsibility of the Office to review the information technology infrastructures of agencies receiving FTI. The Office is also required to ensure that these agencies have built the security controls required by I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075 into their information technology infrastructures.

The Office’s information technology specialists use information technology security test plans designed to identify vulnerabilities in agencies’ information technology environments. There are test plans designed for each type of environment and software/application in use by the agencies. These security test plans are comprised of multiple subtests, each of which receives a “pass” or “fail” rating. An overall percentage score is calculated as the number of subtests passed divided by the number of subtests conducted. However, the test plans do not emphasize higher risk vulnerabilities, because all subtests are equally weighted.
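As an added illustration (not part of the TIGTA report, and not a tool of the Office of Safeguards), the following Python script shows why the equal-weight pass rate described above hides risk, and what a severity-weighted score of the kind Recommendation 5 asks for looks like beside it. The subtest identifiers, the four severity weights, and the two constructed agency result sets are assumptions made for this example; the report does not publish the Office’s test cases or the weights it is assigning to them.

```python
"""Equal-weight versus risk-weighted scoring of an on-site IT security test plan.

Added example; not code from the TIGTA report or from the Office of Safeguards.
Subtest names, severity weights and the two agency result sets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Severity order follows the report's four deficiency categories. The numeric
# weights are an assumption for this example; the report says only that the
# Office is ranking its test cases by severity, not which weights it uses.
SEVERITY_ORDER = ("catastrophic", "significant", "moderate", "limited")
SEVERITY_WEIGHT = {"catastrophic": 8, "significant": 4, "moderate": 2, "limited": 1}


@dataclass(frozen=True)
class SubtestResult:
    test_id: str
    severity: str  # one of SEVERITY_ORDER
    passed: bool


def equal_weight_score(results: Iterable[SubtestResult]) -> float:
    """Pass rate as the report describes it: subtests passed / subtests conducted."""
    results = list(results)
    if not results:
        raise ValueError("no subtests conducted")
    return sum(r.passed for r in results) / len(results)


def risk_weighted_score(results: Iterable[SubtestResult],
                        weights: Dict[str, int] = SEVERITY_WEIGHT) -> float:
    """Weight earned by passed subtests over the total weight of subtests conducted."""
    results = list(results)
    total = sum(weights[r.severity] for r in results)
    if total == 0:
        raise ValueError("no subtests conducted")
    earned = sum(weights[r.severity] for r in results if r.passed)
    return earned / total


def worst_open_severity(results: Iterable[SubtestResult]) -> Optional[str]:
    """Highest-severity category with at least one failed subtest, or None."""
    failed = {r.severity for r in results if not r.passed}
    for sev in SEVERITY_ORDER:
        if sev in failed:
            return sev
    return None


def assess(results: Iterable[SubtestResult]) -> dict:
    """Score a plan both ways and flag any open catastrophic finding separately."""
    results = list(results)
    worst = worst_open_severity(results)
    return {
        "equal_weight": round(equal_weight_score(results), 4),
        "risk_weighted": round(risk_weighted_score(results), 4),
        "worst_open": worst,
        # A catastrophic deficiency is the report's most serious category, so it
        # is surfaced as its own flag rather than being averaged into a pass rate.
        "catastrophic_open": worst == "catastrophic",
    }


def constructed_plan(failed_ids: Set[str]) -> List[SubtestResult]:
    """Twenty hypothetical subtests: 2 catastrophic, 4 significant, 6 moderate, 8 limited."""
    layout = [("C", "catastrophic", 2), ("S", "significant", 4),
              ("M", "moderate", 6), ("L", "limited", 8)]
    plan = []
    for prefix, sev, count in layout:
        for i in range(1, count + 1):
            tid = f"{prefix}{i}"
            plan.append(SubtestResult(tid, sev, passed=tid not in failed_ids))
    return plan


# Constructed agencies: both fail exactly 2 of the 20 subtests.
AGENCY_A = constructed_plan({"C1", "C2"})  # fails both catastrophic subtests
AGENCY_B = constructed_plan({"L1", "L2"})  # fails two limited subtests

if __name__ == "__main__":
    for name, plan in (("Agency A", AGENCY_A), ("Agency B", AGENCY_B)):
        print(name, assess(plan))
```

Both constructed agencies score 90 percent on the equal-weight pass rate, so a reviewer reading only that figure would rank them identically. Once severity is weighted, Agency A, which has left both catastrophic subtests failed, drops to roughly 69 percent, while Agency B stays above 96 percent. The separate `catastrophic_open` flag is the check a practitioner would keep regardless of the weights chosen: no averaging should be allowed to hide a finding in the category the Office treats as most serious.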
Treating every subtest as equal therefore yields an overall pass rate that is not representative of the risk to the FTI stored in these information technology environments: a failed subtest for a high-risk weakness lowers the score by exactly as much as a failed subtest for a low-risk one.

The Office does not require information technology security test plans to be weighted according to risk because it does not have written policies and procedures that require test plans to be designed with subtests weighted according to the risk of unauthorized disclosure and use of FTI. Using information technology security tests that are equally weighted does not adequately determine the actual risk to the FTI stored in the agencies’ information technology environments. As a result, the Office cannot attest to taxpayers that their FTI is safeguarded from unauthorized access and use.

Recommendations
The Deputy Commissioner for Operations Support should:
Recommendation 4: Establish roles and responsibilities for ensuring that the annual report to Congress on the procedures and safeguards of agencies that receive FTI is delivered timely.
       Management’s Response: The IRS independently took action on this issue prior to the recommendation. Procedures to compile the report were streamlined, and the annual report for Calendar Year 2013 was timely submitted to Congress.
       Office of Audit Comment: During the fieldwork for this audit, the IRS had not submitted its annual report to Congress for Calendar Years 2010 and 2011.
       After the audit team requested the annual reports, the IRS took action on this issue by ensuring that the 2010, 2011, and 2012 annual reports were submitted to Congress in May 2013.
Recommendation 5: Ensure that the significance of each information technology security test is weighted according to the risk of unauthorized disclosure and use of FTI.
       Management’s Response: The IRS agreed with this recommendation. The Office of Safeguards started the process of ranking each individual test case used to review systems based on severity. Once completed, the scoring will provide a more accurate risk-based ranking of devices that receive, process, store, and transmit FTI.

The Office of Safeguards’ Program Controls Need Improvement

The Office’s list of agencies receiving FTI and the agency on-site review schedule need improvement
I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075 require that the IRS maintain a permanent system of standardized records or accountings of all requests for inspection or disclosure of FTI and of the FTI inspected or disclosed. The GLDS business unit is responsible for maintaining complete and current documentation of the agencies that receive FTI under I.R.C. § 6103(p)(4) and records of the data elements that are provided to each agency.

The Office is also responsible, once FTI has been provided to an agency, for ensuring that on-site reviews of that agency are conducted at a minimum of once every three years. The Office develops annual review plans for all agencies on record as receiving FTI from the IRS to ensure that all agencies are reviewed once every three years. The Office maintains records of its on-site reviews in the Electronic Disclosure Information Management System.

We compared the list of all agencies authorized to receive FTI to the schedules for the Office’s on-site reviews for Fiscal Years 2011, 2012, and 2013.
We found:
   • Seven agencies were not reviewed within the required three-year time frame.
   • Five agencies are presently scheduled to be reviewed after the required three-year time frame.
   • Two agencies scheduled to be reviewed in Fiscal Year 2013 were not included on the list.
   • Fifteen agencies on the list are not currently receiving FTI and are not designated as such.

The Office does not have sufficient management oversight and written policies and procedures in place to ensure that all agencies are reviewed within the three-year requirement and that the agency list is accurately and timely updated to reflect each agency’s current FTI receipt status. Without effective management oversight and written policies and procedures in place, the Office cannot fulfill its responsibility to oversee the safeguard controls in place at agencies receiving FTI at a minimum of once every three years. The Office also cannot assure taxpayers that their FTI is protected.

Timeliness of document delivery/receipt and reviews and the completeness of agency files need improvement
IRM 11.3.36 and Publication 1075 require agencies to submit to the Office a Safeguard Procedures Report (SPR) at a minimum of every six years or when significant changes in their safeguarding procedures occur, and agencies must submit a Safeguard Activity Report (SAR) annually. The SPR and SAR describe in detail the safeguard procedures agencies implement in accordance with I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075 for the safeguarding of FTI.
The SPR must be reviewed by the Office within 60 calendar days of receipt, and the SAR must be reviewed by the Office within 45 calendar days of receipt. After the Office completes the review of the SPR or the SAR, it is submitted along with a delivery acceptance form (reflecting the delivery dates and due dates) for quality review. Once approved, an acceptance letter is sent to the agency.

The Office review teams are required to conduct on-site reviews of agencies at a minimum of once every three years. The reviews are designed to ensure compliance with I.R.C. § 6103(p)(4), IRM 11.3.36, and Publication 1075 regarding recordkeeping, secure storage, restricting access, other safeguards related to employee awareness and internal inspections, reporting requirements, and disposal of FTI. After the Office review team completes an on-site review, it issues an interim Safeguard Review Report (SRR) and an interim Corrective Action Plan (CAP) report within 45 calendar days of the on-site review closing conference. The agency has 45 calendar days to respond to the interim SRR, after which the review team has 45 calendar days to issue a final SRR and a final CAP report. Publication 1075 requires agencies to submit to the Office biannual CAP reports that address any unresolved deficiencies until all deficiencies have been resolved and the corrective actions taken have been approved by the Office. The Office’s information technology specialists review and monitor the incoming biannual CAP reports.

The Office requires agencies to correct deficiencies within the established time frame for each category. The Office categorizes deficiencies by risk, and the risk is based on the potential for loss, breach, or misuse of FTI.
The catastrophic category is the most serious, and agencies must correct this type of deficiency within three months of the on-site review closing conference. There are three other risk categories: significant, which must be corrected within six months; moderate, which must be corrected within nine months; and limited, which must be corrected within 12 months.

The Office is required to keep workpaper documentation of its on-site reviews and mandatory reporting requirements for all agencies that are receiving FTI. The workpapers from the Office’s on-site reviews provide the evidence to support the conclusions and recommendations contained in the SRR. The workpapers serve as the connecting link between the on-site review and the SRR, provide the sole support that the Office is fulfilling its oversight responsibilities, and should support the deficiencies identified and the conclusions presented in the SRR.

We selected a statistically valid random sample[7] of 50 agencies from a population of 280 agencies that received FTI during Fiscal Year 2013. For the selected agencies, we analyzed the on-site review documents contained in the Office’s SharePoint site. During our review, we identified agencies in our sample of 50 for which we were unable to perform a specific test. When this occurred, we determined that the test could not be performed for the selected agency for one of three main reasons:
   1.
The report/document being tested (e.g., SPR, SPR delivery acceptance form, SPR and SAR acceptance letters, closing conference reports, interim reports, responses to the interim reports, and final reports) was missing from the agency’s file in the Office’s database.
   2. We were unable to determine the specific outcome of the report/document for that specific test. For example, an agency report may have been incomplete and missing the necessary information, or the determination of the test outcome was contingent on another report/document that was missing.
   3. The report/document was not applicable to the specific test for that agency. For example, if an agency does not receive FTI, no tests conducted would apply to that agency, or the determination of the test outcome of a report/document was contingent on another report/document that was incomplete.
Therefore, for the three main reasons mentioned, the number of agencies tested for a specific report/document will not equal the sample size of 50, because all tests could not be performed for all agencies.

We identified several deficiencies for the sample of 50 agency files reviewed.
Figure 2 provides a summary of our sample test results for the timeliness of document delivery/receipt and review.

[7] The point estimate projections, shown in footnotes, are based on a two-sided 95 percent confidence interval.

Figure 2: Timeliness of Document Delivery/Receipt and Review

Description of Timeliness Deficiency                                         Number of Agencies   Percentage of Agencies   Range of Calendar Days Over the Timeliness Requirement
The SPR was not timely received.                                             3 of 41 [8]          7.32%                    286 to 814 days late
The SAR was not timely received.                                             19 of 34 [9]         55.9%                    1 to 151 days late
The contractor did not timely review the SPR.                                32 of 37 [10]        86.5%                    3 to 1,276 days late
The contractor did not timely review the SAR.                                26 of 43 [11]        60.5%                    1 to 229 days late
The responses to interim reports were not timely received.                   28 of 35 [12]        80.0%                    2 to 324 days late
The biannual CAP reports were not timely received.                           6 of 13 [13]         46.2%                    5 to 46 days late
Corrective actions for catastrophic deficiencies were not timely received.   9 of 13 [14]         69.2%                    162 to 927 days late
The interim report was not timely issued.                                    13 of 37 [15]        35.1%                    9 to 551 days late
The final report was not timely issued.                                      10 of 18 [16]        55.6%                    4 to 259 days late
Source: Treasury Inspector General for Tax Administration analysis of documents obtained from the Office’s SharePoint site.

[8] We estimate that the Office did not receive SPRs timely from 19 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between four and 51.
[9] We estimate that the Office did not receive SARs timely from 106 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 69 and 148.
[10] We estimate that the Office did not review SPRs timely for 219 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 175 and 250.
[11] We estimate that the Office did not review SARs timely for 155 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 112 and 196.
[12] We estimate that the Office did not receive responses to interim reports timely from 178 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 134 and 217.
[13] We estimate that the Office did not receive biannual CAP reports timely from 58 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 22 and 111.
[14] We estimate that the Office did not receive corrective actions for catastrophic deficiencies timely from 54 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 26 and 93.
[15] We estimate that the Office did not issue interim reports timely to 83 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 47 and 127.
[16] We estimate that the Office did not issue final reports timely to 108 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 57 and 166.

The Office maintains the on-site review records and mandatory reporting for agencies receiving FTI using a folder for each agency on a SharePoint site.
We performed testing on our sample of 50 agencies and determined that required documentation was missing from the agency folders. Figure 3 provides a summary of the test results for missing required documentation.

Figure 3: Missing Required Documentation From Agency Folders

Missing Required Document          Number of Agencies   Percentage of Agencies
Current SPR                        5 of 46 [17]         10.9%
SPR delivery acceptance form       9 of 46 [18]         19.6%
SPR acceptance letter              8 of 46 [19]         17.4%
SAR acceptance letter              2 of 45 [20]          4.4%
Closing conference report          4 of 45 [21]          8.9%
Interim report                     4 of 43 [22]          9.3%
Response to interim report         3 of 39 [23]          7.7%
Final report                       23 of 42 [24]        54.8%
Source: Treasury Inspector General for Tax Administration analysis of the Office’s SharePoint site.

[17] We estimate that the Office did not have in its database current SPRs for 28 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between nine and 61.
[18] We estimate that the Office did not have in its database SPR delivery acceptance forms for 50 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 24 and 88.
[19] We estimate that the Office did not have in its database SPR acceptance letters for 45 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 20 and 82.
[20] We estimate that the Office did not have in its database SAR acceptance letters for 11 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between one and 39.
[21] We estimate that the Office did not have in its database closing conference reports for 22 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between six and 54.
[22] We estimate that the Office did not have in its database interim reports for 22 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between six and 54.
[23] We estimate that the Office did not have in its database a response to the interim report for 17 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between four and 46.
[24] We estimate that the Office did not have in its database final reports for 129 of the 280 agencies. We are 95 percent confident that the true number of agencies in the population is between 89 and 170.

In addition to the results from the sample items presented in Figures 2 and 3, these on-site reviews contained deficiencies identified by the Office’s reviews, but in many instances these deficiencies were not corrected timely by the agencies. In our analysis of the review files for the 50 sampled agencies, we identified that 14 of the 50 agencies reviewed had catastrophic deficiencies. Specifically:
   • Nine of the 14 agencies had catastrophic deficiencies that were not corrected timely.
   • Six of the 14 agencies had catastrophic deficiencies that were between 583 and 1,017 calendar days old and had not been corrected at the completion of our review.
   • One of the 14 agencies had 19 catastrophic deficiencies, or 70 percent of the total deficiencies identified.

The Office’s management does not have documented policies and procedures, roles and responsibilities, performance metrics, and performance metrics reporting to ensure that requirements are met. Additionally, the Office’s only legal enforcement authority, under I.R.C. § 6103(p)(4) and (7), is to withhold FTI if agencies do not timely correct deficiencies or establish the required safeguards. The Office does not have legal authority to impose penalties or use other enforcement measures to compel agency compliance.

Without complete and timely reporting by the Office and by the agencies receiving FTI, the Office cannot ensure that FTI received by agencies is properly safeguarded. When documentation is missing from agency review files, there is not sufficient evidence that the Office has performed its oversight responsibilities for agencies receiving FTI. Additionally, the Office does not restrict an agency’s access to FTI data until the identified deficiencies are corrected.
Deficiencies that are not corrected could lead to internal or external breaches of FTI. Therefore, the Office cannot completely assure taxpayers that their FTI is protected.

Management actions
During this audit, the Office began efforts to add controls that will assist in its oversight of agencies that receive FTI. It recently migrated to a single database, called Entellitrak. According to the Office’s management, this new system will be the single application through which all of the Office’s review documentation, reporting, and on-site review schedules are tracked and maintained. Prior to the deployment of Entellitrak, three independent databases were used to track reports, deficiencies, and related work. Management believes that combining the functionality of the three databases into one will assist in supporting and managing the Office as more agencies request FTI.

Additionally, as of April 2013, the Office has been conducting status meetings with its contractor information technology specialists to ensure that SPR and SAR reviews are conducted timely. Office management also has a procedure that should increase the oversight of agencies by contacting agencies when SARs and CAP reports are delinquent.

Recommendations
The Deputy Commissioner for Operations Support should:
Recommendation 6: Establish roles and responsibilities for ensuring that the master list of agencies receiving FTI from the IRS subject to I.R.C.
§ 6103(p)(4) is timely updated and maintained.
       Management’s Response: The new Entellitrak management information system, deployed in August 2013, provides enhanced and accurate tracking capabilities for the list of active agencies, reports, and related documents.
Recommendation 7: Establish roles and responsibilities for ensuring that the Office of Safeguards’ review schedule is maintained and updated timely.
       Management’s Response: The IRS agreed with this recommendation. The Office of Safeguards will develop a more comprehensive review schedule process that lists all agencies and documents all risk-based deviations from the three-year review cycle. There are multiple reasons to adjust the on-site review dates for certain agencies, and specific criteria will be implemented to ensure that a proper evaluation has taken place for any review changes.
Recommendation 8: Establish a review process for the Office of Safeguards’ database to ensure that all required agency documents are tracked, maintained, and accurately documented in each agency’s file.
       Management’s Response: The new Entellitrak management information system, deployed in August 2013, provides enhanced and accurate tracking capabilities for the list of active agencies, reports, and related documents.
       Complete agency files are now monitored and audited as part of the quality review process to ensure proper inclusion of all required documents.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether the Office of Safeguards effectively provides oversight of agencies that receive FTI. To determine the effectiveness of the oversight of agencies, we interviewed management, observed two on-site agency reviews, obtained the Office’s annual reports to Congress, and reviewed the background investigation policies of agencies that receive FTI, the information technology security test plans, and the Office’s agency files of report documents.

To accomplish our objective, we:
I.   Evaluated the Office’s procedures and determined their adequacy in protecting FTI.
     A. Conducted walkthroughs of two agencies that receive FTI.
     B. Reviewed the guidance used by the Office and compared it to I.R.C. § 6103(p)(4) to determine whether it is consistent with the law.
     C. Reviewed Government criteria and compared them to Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, and other additional guidance the Office uses, to identify internal controls that would ensure adequate protection of FTI.
Determined whether all agencies that receive FTI are reviewed at least once every\n           three years in accordance with IRM 11.3.36 by comparing the Office\xe2\x80\x99s list of\n           agencies that receive FTI to the most recent three-year on-site review schedule.\nII.     Determined whether the Office adequately monitored the agencies that receive FTI.\n        A. Through discussions with management, determined how the Office tracks and\n           controls the documents received from agencies.\n        B. Conducted a statistical sample1 of 50 agencies from a population of 280 agencies that\n           received FTI in Fiscal Year 2013. We determined the Office\xe2\x80\x99s maintenance and\n           timeliness of the agencies\xe2\x80\x99 report documents issued to and submitted by the agencies.\n           We reviewed agencies that had an on-site review from the Office conducted in Fiscal\n           Years 2011, 2012, or 2013 and did not identify any agencies that were reviewed more\n           than once during the three-year cycle. We determined whether report documents the\n\n\n1\n  A contract statistician assisted with developing our sampling plans and projections. We selected a statistical\nsample because we wanted to estimate the total number of agencies for which report documents were missing and/or\nreviewed or received untimely.\n                                                                                                       Page 17\n\x0c                              The Office of Safeguards Should Improve\n                        Management Oversight and Internal Controls to Ensure\n                         the Effective Protection of Federal Tax Information\n\n\n            Office receives from the agencies are kept up to date in its databases and obtained\n            timely. 
We projected two-sided 95 percent confidence intervals for the population\n            exception rate and the population number of exception agencies using a pass or fail\n            methodology.\n        C. We reviewed the SPRs and the SARs for the random statistical sample of 50 agencies\n           from Step II.B. to determine maintenance and timeliness of reviews and receipt of the\n           reports.\n        D. Reviewed interim reports and final reports for the random statistical sample of\n           50 agencies from Step II.B. to determine maintenance and timeliness of issuance.\n        E. Reviewed CAP reports for the random statistical sample of 50 agencies from\n           Step II.B. to determine maintenance and timeliness of reviews and receipt of the\n           reports.\nIII.    Conducted a random sample2 of 15 agencies from a population of 62 agencies that\n        received FTI in Fiscal Year 2013. We requested each agency\xe2\x80\x99s background investigation\n        policies and procedures. We reviewed policies and procedures for the employee\n        background investigations conducted by 15 agencies to determine consistency with the\n        IRS\xe2\x80\x99s background policies and procedures for employees with access to FTI.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined that the\nfollowing internal controls were relevant to our audit objective: the IRS\xe2\x80\x99s policies, procedures,\nand practices for providing oversight to agencies that receive FTI in accordance with\nI.R.C. \xc2\xa7 6103(p)(4). 
We evaluated these controls by interviewing management and reviewing\nagencies\xe2\x80\x99 policies on background investigations, information technology security test plans, and\nthe Office\xe2\x80\x99s agency files and report documents.\n\n\n\n\n2\n We used a random sample to ensure that each agency had an equal chance of being selected, which enabled us to\nobtain sufficient evidence to support our results.\n                                                                                                       Page 18\n\x0c                          The Office of Safeguards Should Improve\n                    Management Oversight and Internal Controls to Ensure\n                     the Effective Protection of Federal Tax Information\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nDanny Verneuille, Director\nJohn Ledford, Audit Manager\nChanda Stratton, Lead Auditor\nRyan Perry, Senior Auditor\nAnthony Morrison, Auditor\nMike Mohrman, Senior Information Technology Specialist\n\n\n\n\n                                                                                     Page 19\n\x0c                         The Office of Safeguards Should Improve\n                   Management Oversight and Internal Controls to Ensure\n                    the Effective Protection of Federal Tax Information\n\n\n                                                                         Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDirector, Privacy, Governmental Liaison, and Disclosure OS:P\nDirector, Governmental Liaison, Disclosure, and Safeguards OS:P:GLDS\nDirector, Safeguards OS:P:S\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk 
Analysis RAS:O\nChief Counsel CC\nNational Taxpayer Advocate TA\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Director, Privacy, Governmental Liaison and Disclosure OS:P:PGLD\n       Director, Governmental Liaison, Disclosure and Safeguards OS:P:GLDS\n\n\n\n\n                                                                               Page 20\n\x0c                               The Office of Safeguards Should Improve\n                         Management Oversight and Internal Controls to Ensure\n                          the Effective Protection of Federal Tax Information\n\n\n                                                                                               Appendix IV\n\n                                     Glossary of Terms\n\n              Term                                                   Definition\nAffordable Care Act                The Patient Protection and Affordable Care Act of 20101 and the\nLegislation                        Health Care and Education Reconciliation Act of 20102 are\n                                   collectively referred to as the ACA. In March 2010, President\n                                   Obama signed the ACA into law. 
The legislation seeks to provide\n                                   more Americans with access to affordable health care, enforce\n                                   patient/consumer protections, and provide Government subsidies\n                                   for people who cannot afford insurance.\nCatastrophic                       The most serious deficiency identified during on-site reviews.\n                                   Agencies must correct this type of deficiency within three months\n                                   of the on-site review closing conference.\nElectronic Disclosure              Used by the Office of Safeguards prior to the implementation of\nInformation Management             the Entellitrak database system for tracking and controlling, work\nSystem                             planning, and management reporting.\nEntellitrak                        Integrated system used to capture, track, and manage data related\n                                   to agencies that receive FTI. The Office of Safeguards\n                                   implemented Entellitrak in August 2013. It combines the\n                                   functionality of the former multiple software applications the\n                                   Office of Safeguards used into a single integrated solution which\n                                   will more efficiently support and manage the increased business\n                                   needs of the Office of Safeguards.\nFederal Tax Information            Confidential tax information reported to the IRS and synonymous\n                                   with tax returns and return information.\nFiscal Year                        Any yearly accounting period, regardless of its relationship to a\n                                   calendar year. The Federal Government\xe2\x80\x99s fiscal year begins on\n                                   October 1 and ends on September 30.\n\n\n\n\n1\n  Pub. L. 
No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as\namended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.\n2\n  Pub. L. No. 111-152, 124 Stat. 1029. (See Affordable Care Act, infra).\n                                                                                                          Page 21\n\x0c                             The Office of Safeguards Should Improve\n                       Management Oversight and Internal Controls to Ensure\n                        the Effective Protection of Federal Tax Information\n\n\n\n              Term                                       Definition\nInternal Revenue Code        Section of the I.R.C. that provides safeguard regulations governing\nSection 6103(p)(4)           confidentiality of FTI for agencies that receive FTI.\nInternal Revenue Manual      Section of the IRS\xe2\x80\x99s IRM that is dedicated to the Office of\nSection 11.3.363             Safeguards to provide procedural and operational supervision for\n                             its staff.\nIRS Publication 1075, Tax    Provides FTI security guidelines for Federal, State, and local\nInformation Security         agencies required to establish procedures to ensure the adequate\nGuidelines for Federal,      protection of FTI received.\nState, and Local Agencies\nNational Institute of        Provides standards and guidelines for information security,\nStandards and Technology     including minimum requirements for Federal information\nSpecial Publication          technology systems.\n800-53, Recommended\nSecurity Controls for\nFederal Information\nSystems and\nOrganizations4\nSharePoint Site              Used by the Office of Safeguards prior to the implementation of\n                             the Entellitrak database system for maintaining report documents\n                             related to the Office\xe2\x80\x99s reviews of agencies that receive 
FTI.\n\n\n\n\n3\n    Dated Aug. 2008.\n4\n    Dated Aug. 2009.\n                                                                                           Page 22\n\x0c            The Office of Safeguards Should Improve\n      Management Oversight and Internal Controls to Ensure\n       the Effective Protection of Federal Tax Information\n\n\n                                                   Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 23\n\x0c      The Office of Safeguards Should Improve\nManagement Oversight and Internal Controls to Ensure\n the Effective Protection of Federal Tax Information\n\n\n\n\n                                                   Page 24\n\x0c      The Office of Safeguards Should Improve\nManagement Oversight and Internal Controls to Ensure\n the Effective Protection of Federal Tax Information\n\n\n\n\n                                                   Page 25\n\x0c      The Office of Safeguards Should Improve\nManagement Oversight and Internal Controls to Ensure\n the Effective Protection of Federal Tax Information\n\n\n\n\n                                                   Page 26\n\x0c      The Office of Safeguards Should Improve\nManagement Oversight and Internal Controls to Ensure\n the Effective Protection of Federal Tax Information\n\n\n\n\n                                                   Page 27\n\x0c'